Common ACL Operations: Configuring a Packet Filtering Rule

Latest reply: Jul 25, 2016 09:45:19

Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment

To allow the ICMP packets from a host that are destined for a network segment to pass, configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3 that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in ACL 3001.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
 
 

Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment

  • To prohibit Telnet connections between the specified host and the hosts on a network segment, configure a rule in an advanced ACL. For example, to prohibit Telnet connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24, configure the following rule in the advanced ACL deny-telnet.
    <HUAWEI> system-view
    [HUAWEI] acl name deny-telnet
    [HUAWEI-acl-adv-deny-telnet] rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
  • To prohibit the specified hosts from accessing web pages (web pages are accessed over HTTP, which uses TCP port 80), configure rules in an advanced ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the following rules in ACL no-web and set the ACL description to Web access restrictions.
    <HUAWEI> system-view
    [HUAWEI] acl name no-web
    [HUAWEI-acl-adv-no-web] description Web access restrictions
    [HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.3 0
    [HUAWEI-acl-adv-no-web] rule deny tcp destination-port eq 80 source 192.168.1.4 0
    
 
 

Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags

To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on network segment 192.168.2.0/24, configure the following rules in ACL 3002. With these rules, hosts on 192.168.2.0/24 can respond to TCP handshake packets but cannot send TCP handshake packets of their own; that is, they can accept connections but not initiate them. Set the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow the RST TCP packets through, and Do not Allow the other TCP packet through.

To meet this requirement, configure two permit rules that allow TCP packets from 192.168.2.0/24 with the ACK or RST flag set to pass, and then a deny rule that rejects all other TCP packets from this segment. A connection request is a bare SYN, which sets neither flag, so it falls through to the deny rule.
<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
[HUAWEI-acl-adv-3002] display this   // If you do not specify an ID when creating a rule, display this shows the rule ID allocated by the system; use that ID to configure a description for the rule.
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack           // The rule ID allocated by the system is 5.
#
return
[HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
 rule 5 description Allow the ACK TCP packets through
 rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst       // The rule ID allocated by the system is 10.
#
return
[HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] display this
#
acl number 3002
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
 rule 5 description Allow the ACK TCP packets through
 rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
 rule 10 description Allow the RST TCP packets through
 rule 15 deny tcp source 192.168.2.0 0.0.0.255       // The rule ID allocated by the system is 15.
#
return
[HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
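As an added worked example (not from this post or from Huawei), the following Python models the wildcard-mask, destination-port and tcp-flag matching used by ACL 3001, ACL deny-telnet and ACL 3002 above, and runs constructed packets through them. It assumes rules are evaluated in rule-ID order with the first match deciding, that tcp-flag requires every listed flag to be set, and that a packet matching no rule yields None (what such a packet then receives depends on where the ACL is applied and is not modelled). The Rule and Packet types, the classify_handshake helper and the sample addresses are the example's own.

```python
"""Wildcard-mask and TCP-flag matching for the advanced ACL rules on this page.

Added example, not Huawei code. Only the match fields the rules above use are
modelled: protocol, source/destination with wildcard mask, destination port
and TCP flags. Evaluation is assumed to be first-match in rule-ID order.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Address = Tuple[str, str]   # (base address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care': 0 = exact host, 0.0.0.255 = a /24."""
    if wildcard == "0":                      # the CLI accepts 0 as shorthand for 0.0.0.0
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    proto: str                                   # "icmp", "tcp", ...
    source: Optional[Address] = None
    destination: Optional[Address] = None
    dst_port: Optional[int] = None               # destination-port eq N
    tcp_flags: FrozenSet[str] = frozenset()      # assumption: every listed flag must be set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    flags: FrozenSet[str] = frozenset()


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.source is not None and not wildcard_match(pkt.src, *rule.source):
        return False
    if rule.destination is not None and not wildcard_match(pkt.dst, *rule.destination):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.tcp_flags and not rule.tcp_flags <= pkt.flags:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First matching rule in ID order decides; None means no rule matched."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action
    return None


NET = ("192.168.2.0", "0.0.0.255")

# acl 3001: rule permit icmp source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
ACL_3001 = [Rule(5, "permit", "icmp", source=("192.168.1.3", "0"), destination=NET)]

# acl name deny-telnet: rule deny tcp destination-port eq telnet source 192.168.1.3 0 destination 192.168.2.0 0.0.0.255
DENY_TELNET = [Rule(5, "deny", "tcp", source=("192.168.1.3", "0"), destination=NET, dst_port=23)]

# acl 3002: the unidirectional-access rules, in the order the page creates them
ACL_3002 = [
    Rule(5, "permit", "tcp", source=NET, tcp_flags=frozenset({"ack"})),
    Rule(10, "permit", "tcp", source=NET, tcp_flags=frozenset({"rst"})),
    Rule(15, "deny", "tcp", source=NET),
]


def classify_handshake(rules: List[Rule], src: str) -> Dict[str, Optional[str]]:
    """Verdict for each handshake step sent from `src` (constructed packets)."""
    peer = "192.168.1.3"
    return {
        "syn":     evaluate(rules, Packet("tcp", src, peer, 80, frozenset({"syn"}))),
        "syn-ack": evaluate(rules, Packet("tcp", src, peer, 4001, frozenset({"syn", "ack"}))),
        "ack":     evaluate(rules, Packet("tcp", src, peer, 4001, frozenset({"ack"}))),
        "rst":     evaluate(rules, Packet("tcp", src, peer, 4001, frozenset({"rst"}))),
    }


if __name__ == "__main__":
    for step, verdict in classify_handshake(ACL_3002, "192.168.2.10").items():
        print(f"{step:8s} from 192.168.2.10 -> {verdict}")
```

Running it shows the bare SYN from the segment hitting rule 15 (deny) while SYN-ACK, ACK and RST hit the permit rules, which is exactly the "respond but never initiate" behaviour the description asks for; a source outside 192.168.2.0/24 matches nothing and returns None.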
 
 

Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types

  • To allow the ARP packets with the specified destination and source MAC addresses and Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow the ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule in ACL 4001.
    <HUAWEI> system-view
    [HUAWEI] acl 4001
    [HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0806
    
  • To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. For example, to reject PPPoE packets with Layer 2 protocol type 0x8863, configure the following rule in ACL 4001.
    <HUAWEI> system-view
    [HUAWEI] acl 4001
    [HUAWEI-acl-L2-4001] rule deny l2-protocol 0x8863
 
 

Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs

To reject the packets from the specified MAC address segments in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject the packets from source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL deny-vlan10-mac.
<HUAWEI> system-view
[HUAWEI] acl name deny-vlan10-mac link
[HUAWEI-acl-L2-deny-vlan10-mac] rule deny vlan-id 10 source-mac 00e0-fc01-0000 ffff-ffff-0000
 
 

Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings

  • To reject the ARP packets from the specified host, configure a rule in a user-defined ACL. For example, to reject the ARP packets from host 192.168.0.2, configure the following rule in ACL 5001.

    In the following rule:
    • 0x00000806 indicates the ARP protocol.
    • 0x0000ffff is the character string mask.
    • 10 indicates the protocol type field offset in the ARP packets (without VLAN ID).
    • c0a80002 is the hexadecimal format of 192.168.0.2.
    • 26 and 30 respectively indicate the offsets of the higher and lower two bytes in the source IP addresses in ARP packets (without VLAN ID). The source IP address in an ARP packet begins at the 28th byte in Layer 2 header and occupies 4 bytes. The Layer 2 header offset defined in a user-defined ACL must be 4n+2 (n is an integer). Therefore, the source IP address is divided into two segments for matching. The lower two bytes among the four bytes behind offset 26 (4 x 6 + 2) and the higher two bytes among the four bytes behind offset 30 (4 x 7 + 2) are matched separately.
    To filter ARP packets with VLAN IDs, add 4 to each of the following offsets.
    Figure 1 Source IP address field offset in Layer 2 header of an ARP packet
    <HUAWEI> system-view
    [HUAWEI] acl 5001
    [HUAWEI-acl-user-5001] rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30
    NOTE:

    The user ACLs configured on S2750, S5710-C-LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this configuration, and can match only character strings.

  • To reject all TCP packets, configure a rule in user-defined ACL deny-tcp.

    In the following rule:
    • 0x00060000 indicates the TCP protocol.
    • 8 indicates the offset of the protocol field in the IPv4 header. (The protocol field begins at the 10th byte of the IPv4 header and occupies one byte. The IPv4 header offset defined in a user-defined ACL must be 4n (n is an integer). Therefore, the rule matches the second byte of the four bytes starting at offset 8, which is why the mask is 0x00ff0000.)
    <HUAWEI> system-view
    [HUAWEI] acl name deny-tcp user
    [HUAWEI-acl-user-deny-tcp] rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
    Figure 2 TCP protocol field offset in IPv4 header
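The two user-defined rules above (ACL 5001 and ACL deny-tcp) match raw bytes at fixed offsets under a mask, which is easy to get wrong by one byte. As an added example (not from this post or from Huawei), the following Python implements that l2-head / ipv4-head matching, builds constructed ARP and IPv4 frames, and checks both rules against them, including the VLAN-tagged case where the page says to add 4 to every offset and the 4n+2 / 4n alignment constraints on offsets. The match_word, l2_head_match, ipv4_head_match, shift_offsets and frame-builder functions, the MAC addresses and the IP addresses other than 192.168.0.2 are the example's own.

```python
"""Offset/mask matching as used by the user-defined ACL rules on this page.

Added example, not Huawei code. Each (value, mask, offset) triple is compared
with the four bytes starting at `offset` in the chosen header, and only the
bits set in the mask must be equal. Frames are constructed locally so the
example runs offline; the two rule lists copy the rules from the page.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

Triple = Tuple[int, int, int]          # (value, mask, offset)

# rule deny l2-head 0x00000806 0x0000ffff 10 0x0000c0a8 0x0000ffff 26 0x00020000 0xffff0000 30
RULE_5001: List[Triple] = [
    (0x00000806, 0x0000FFFF, 10),      # EtherType == ARP
    (0x0000C0A8, 0x0000FFFF, 26),      # high two bytes of sender IP == 192.168
    (0x00020000, 0xFFFF0000, 30),      # low two bytes of sender IP == 0.2
]
# rule 5 deny ipv4-head 0x00060000 0x00ff0000 8
RULE_DENY_TCP: List[Triple] = [(0x00060000, 0x00FF0000, 8)]   # protocol byte == 6 (TCP)


def match_word(data: bytes, value: int, mask: int, offset: int) -> bool:
    """Compare the big-endian 32-bit word at `offset` with `value` under `mask`.
    A field that runs past the end of the data never matches."""
    if offset < 0 or offset + 4 > len(data):
        return False
    word = int.from_bytes(data[offset:offset + 4], "big")
    return (word & mask) == (value & mask)


def l2_head_match(frame: bytes, triples: List[Triple]) -> bool:
    """Match against the Layer 2 header; offsets must be 4n+2 as the page states."""
    for _, _, offset in triples:
        if offset % 4 != 2:
            raise ValueError(f"l2-head offset {offset} is not of the form 4n+2")
    return all(match_word(frame, v, m, o) for v, m, o in triples)


def ipv4_head_match(frame: bytes, triples: List[Triple], l2_len: int = 14) -> bool:
    """Match against the IPv4 header, which starts l2_len bytes in; offsets must be 4n."""
    for _, _, offset in triples:
        if offset % 4 != 0:
            raise ValueError(f"ipv4-head offset {offset} is not of the form 4n")
    ip_header = frame[l2_len:]
    return all(match_word(ip_header, v, m, o) for v, m, o in triples)


def shift_offsets(triples: List[Triple], delta: int) -> List[Triple]:
    """For VLAN-tagged ARP frames the page says to add 4 to each l2-head offset."""
    return [(v, m, o + delta) for v, m, o in triples]


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str,
                      vlan: Optional[int] = None) -> bytes:
    """Constructed ARP request: Ethernet header (optionally 802.1Q-tagged) + 28-byte ARP body."""
    eth = b"\xff" * 6 + src_mac                      # broadcast destination, given source
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)       # TPID + (PCP/DEI = 0, VID)
    eth += struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_ipv4_frame(src_ip: str, dst_ip: str, proto: int) -> bytes:
    """Constructed Ethernet + minimal IPv4 header (no options, checksum left at 0)."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


if __name__ == "__main__":
    mac = bytes.fromhex("00e0fc010001")              # constructed source MAC
    plain = build_arp_request(mac, "192.168.0.2", "192.168.0.1")
    tagged = build_arp_request(mac, "192.168.0.2", "192.168.0.1", vlan=10)
    print("untagged ARP from 192.168.0.2 hits rule 5001:", l2_head_match(plain, RULE_5001))
    print("tagged ARP, original offsets:", l2_head_match(tagged, RULE_5001))
    print("tagged ARP, offsets + 4:", l2_head_match(tagged, shift_offsets(RULE_5001, 4)))
    print("TCP frame hits deny-tcp:", ipv4_head_match(build_ipv4_frame("10.0.0.1", "10.0.0.2", 6), RULE_DENY_TCP))
```

The tagged case is the one to check on a real deployment: with the original offsets the word at offset 10 now contains the 802.1Q TPID instead of the EtherType, so the rule silently stops matching, and a rule written with a naturally aligned offset such as 28 is rejected outright because it violates the 4n+2 rule.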
 
 
 


Created Jul 15, 2016 03:56:27


Thank you

Created Jul 21, 2016 07:58:10


Thank you